Advanced DNS solutions

DNSSEC

The DNS (Domain Name System) protocol plays a key role in all internet usage that relies on domain names (e-mail, web, VoIP, web services, spam filtering, etc.). As one of the foundations on which the internet was built, the DNS protocol is crucial in ensuring that we find what we are looking for on the net. DNS translates domain names into the IP addresses used by network equipment to route traffic and data to computers, servers and other hardware.

It was originally developed in 1983 with the crucial aim of keeping IT networks resilient and scalable as they expanded: the increasing number of servers was making the exchange of the much talked about ‘hosts’ files unmanageable. This original DNS standard, which is still used today, did not include a strong security component, now an essential element in the current computer landscape. The ‘Domain Name System Security Extensions’ standard (known as DNSSEC), an extension to the DNS protocol, was designed to address DNS security shortcomings and vulnerabilities such as ‘cache poisoning’ or ‘man in the middle’ attacks. DNSSEC cannot do anything about changes made to the data on the authoritative servers themselves. It does, however, ensure that resolvers have obtained this data from a trusted authoritative server, and that the data is complete.

DNSSEC protects the DNS by confirming the authenticity and integrity of DNS responses. It checks from end to end that the authentication signatures are valid, and that they have been created with keys from legitimate servers (keys that have themselves been signed). This system creates a chain of trust across every stage of domain name resolution. If the signatures don’t match, DNSSEC can report the mismatch and prevent the resolution from completing, which stops the domain name from being directed to the wrong servers and ensures that the returned information is genuine.

The verification process comprises two components:

1/ Have I definitely retrieved the information from the right place?

2/ Am I sure that the information has not been changed en route?
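
The chain of trust described above depends on each parent zone publishing a DS record, a digest of the child zone's key-signing DNSKEY, so that "keys that have themselves been signed" can be checked link by link. The following Python code is an added example, not SafeBrands code: it computes the key tag (RFC 4034) and the SHA-256 DS digest (RFC 4509) and checks one parent-to-child link. The zone name and key bytes are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase labels, length-prefixed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum, not a hash."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (RFC 4509): SHA-256(owner name || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """True only if the parent's DS record commits to exactly this child DNSKEY."""
    tag, algorithm, digest_type, digest = ds
    if digest_type != 2 or algorithm != rdata[3]:
        return False  # unsupported digest type, or algorithm field disagrees
    if tag != key_tag(rdata):
        return False  # the tag is only a lookup hint; the digest is the real check
    return hmac.compare_digest(digest, ds_digest_sha256(owner, rdata))

# Constructed sample data: example.com and a 64-byte placeholder standing in
# for an ECDSA P-256 (algorithm 13) public key. Not a real zone key.
OWNER = "example.com."
CHILD_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))  # flags 257 = key-signing key
PARENT_DS = (key_tag(CHILD_KEY), 13, 2, ds_digest_sha256(OWNER, CHILD_KEY))

# A substituted key, as a poisoned response would carry, differs in its bytes.
FORGED_KEY = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    print("genuine key accepted:", ds_matches_dnskey(PARENT_DS, OWNER, CHILD_KEY))
    print("forged key accepted: ", ds_matches_dnskey(PARENT_DS, OWNER, FORGED_KEY))
```

A validating resolver repeats this check at every delegation from the root down, and separately verifies the RRSIG signatures made with each accepted key.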

The DNSSEC root was signed by VeriSign and prepared for approval in July 2010. Since then, the .org registry and several ccTLD registries have implemented the protocol in their own zones. Some registries were using it prior to this (the .se registry for example), but the signing of the root enabled the chain of trust to be established from end-to-end. The implementation of the new standard at a practical level is scheduled for .com in the first half of 2011, and the global rollout should take place by the end of 2011.

The security of our networks and our clients’ domain names is of course of crucial importance to SafeBrands. We are fully committed to supporting the DNSSEC security standard. We are working with the industry leaders in DNSSEC security to ensure that we remain at the cutting edge of this technology and its development. DNSSEC operations are transparent for the end user, and are crucial to the creation of a safer and more reliable internet worldwide.